[Muscle] certificate error using DoD CAC with Firefox or Thunderbird

Kevin Reinholz kreinholz at gmail.com
Mon Nov 26 16:54:30 PST 2007


Thank you for the explanation!

I will go the coolkey route, then. It was easy to get it to build; there 
was just that linker issue. I did not define PKG_CONFIG_PATH the handful 
of times I compiled coolkey, so it is definitely worth a try.

I'll mess around with coolkey on my own for a bit and report back. 
Hopefully I'll be able to provide confirmation of a successful coolkey 
test on FreeBSD.

Todd Denniston wrote:
> Summary: ditch commonAccessCard.bundle, and use CoolKey.
> If you are having trouble building CoolKey, I suggest asking about the 
> errors you are seeing either here or at
> https://www.redhat.com/mailman/listinfo/coolkey-devel
>
> IIRC the biggest trick to getting CoolKey to build was defining 
> PKG_CONFIG_PATH before doing the ./configure
> i.e., export PKG_CONFIG_PATH=$INSTALL_PREFIX/lib/pkgconfig
> where pcscd's INSTALL_PREFIX=/usr/local
>
>
> Kevin Reinholz wrote, On 11/25/2007 10:12 PM:
> <SNIP>
>>
>> I wonder if the issue is truly with Firefox/Thunderbird/Seamonkey, in 
>> other words Mozilla's NSS, or if the problem is related to 
>> libmusclepkcs11 and/or commonAccessCard.bundle. 
>
> Unless you are working with a "SmartCardServices" 
> commonAccessCard.bundle source newer than ~April 2006, the problem is 
> with commonAccessCard.bundle + libmusclepkcs11.
>
> <SNIP muscletool output that indicates pcscd is working well with the 
> card.>
> The only thing nice about the commonAccessCard.bundle was that with 
> muscletool you could look at the DEERS personnel data, i.e., blood 
> type, birthday, SSN, Exchange Privileges...
>
>>
>> Clearly my CAC is being read, the muscle framework recognizes when I 
>> enter my PIN correctly, and I can display the certificates loaded on 
>> my CAC. That would seem to imply that the problem lies elsewhere.
>>
>
> True.
>
>> I go to AF Portal or AFMC webmail, I'm prompted for a certificate and 
>> I can choose between my e-mail and non-e-mail certificate, I'm 
>> prompted for my PIN which I enter correctly, and then I receive that 
>> cryptic Error code -12222 pertaining to NSS. Very frustrating to be 
>> so close yet not quite there.
>>
>> There is also the option of going back and trying to get libcoolkey 
>> to link against libpcsclite, then seeing if I have better luck using 
>> libcoolkey.so as a security module. However, it seems to me that 
>> libmusclepkcs11 is working fine, and the problem lies with Mozilla's 
>> NSS or Firefox's handling of certificates.
>>
>> Either route is an adventure...
>>
>
> Those of us who went through getting CAC to work under Linux early 
> on[0] had many of the same problems you are seeing.
> My own impression of commonAccessCard.bundle + libmusclepkcs11 was 
> that it was _very_ brittle. Locally we had patches[1] against 
> pam_pkcs11 and libmusclepkcs11 that pretty much made it sort of work 
> OK for pam_pkcs11; it never worked well under Mozilla products.
>
> Very soon after trying coolkey and seeing it work with several of the 
> applications we needed it to work with[1], I think most folks stopped 
> messing with libmusclepkcs11 [2], probably because 
> commonAccessCard.bundle 1) did not work as well as coolkey, and 2) was 
> not distributed under a license that permitted nice patching and 
> sharing.
>
> The adventure was easier with the CoolKey route, and the reward was 
> that it worked.
>
> [0] http://lists.drizzle.com/pipermail/muscle/2006-July/005643.html
>     http://lists.drizzle.com/pipermail/muscle/2006-July/005609.html
> [1] http://lists.drizzle.com/pipermail/muscle/2006-July/005641.html
> [2] http://lists.drizzle.com/pipermail/muscle/2006-August/005659.html
>     http://lists.drizzle.com/pipermail/muscle/2006-July/005614.html
>
>
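The PKG_CONFIG_PATH step quoted above is the one that decides whether CoolKey's link against libpcsclite succeeds, so here is a small pre-flight check for it. This is an added example, not code from the thread or from the CoolKey or pcsc-lite projects. It assumes pcsc-lite's pkg-config file is named libpcsclite.pc and sits in either lib/pkgconfig (a source install with INSTALL_PREFIX=/usr/local, as in the thread) or libdata/pkgconfig (where FreeBSD ports put .pc files); the lib64 path is an extra assumption for other platforms. The demo at the bottom builds a constructed prefix in a temp directory with a constructed .pc file so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or the CoolKey project): confirm that
# pkg-config will be able to resolve pcsc-lite under the prefix pcscd was
# installed to, and print the export line to run before CoolKey's ./configure.
# Assumptions: the .pc file is libpcsclite.pc; candidate directories are
# lib/pkgconfig (source install), libdata/pkgconfig (FreeBSD ports) and
# lib64/pkgconfig (some Linux layouts).

# find_pkgconfig_dir PREFIX NAME
# Prints the directory under PREFIX that contains NAME.pc; returns 1 if none.
find_pkgconfig_dir() {
    prefix=$1
    name=$2
    for d in "$prefix/lib/pkgconfig" "$prefix/libdata/pkgconfig" "$prefix/lib64/pkgconfig"; do
        if [ -f "$d/$name.pc" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# pc_libs PCFILE
# Prints the raw Libs: line of a .pc file. This is the flag set pkg-config
# would expand and hand to the link step (e.g. "-L/usr/local/lib -lpcsclite");
# variables such as ${libdir} are shown unexpanded here.
pc_libs() {
    sed -n 's/^Libs:[[:space:]]*//p' "$1"
}

# coolkey_pkgconfig_env PREFIX
# Prints the export line to run before ./configure, or an error message on
# stderr and return 1 when libpcsclite.pc cannot be found under PREFIX, which
# is the case that leaves libcoolkey unable to link against libpcsclite.
coolkey_pkgconfig_env() {
    dir=$(find_pkgconfig_dir "$1" libpcsclite) || {
        echo "libpcsclite.pc not found under $1: install pcsc-lite there or fix the prefix" >&2
        return 1
    }
    printf 'export PKG_CONFIG_PATH=%s\n' "$dir"
}

# demo: a constructed prefix in a temp directory standing in for /usr/local,
# with a constructed libpcsclite.pc, so the check can be exercised offline.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/lib/pkgconfig"
    cat > "$tmp/lib/pkgconfig/libpcsclite.pc" <<EOF
prefix=$tmp
libdir=\${prefix}/lib
includedir=\${prefix}/include/PCSC
Name: PCSC Lite
Description: PC/SC smart card interface (constructed sample)
Version: 1.4.0
Libs: -L\${libdir} -lpcsclite
Cflags: -I\${includedir}
EOF
    coolkey_pkgconfig_env "$tmp"
    pc_libs "$tmp/lib/pkgconfig/libpcsclite.pc"
    rm -rf "$tmp"
}

demo
```

Run it with the real prefix (`coolkey_pkgconfig_env /usr/local`) before `./configure`; if it reports that libpcsclite.pc is missing, the linker failure is expected and the fix is the prefix, not CoolKey.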